def get_keypair(config = None): if not config: config = SfaConfig() hierarchy = Hierarchy() key_dir= hierarchy.basedir data_dir = config.data_path keyfile =data_dir + os.sep + "server.key" certfile = data_dir + os.sep + "server.cert" # check if files already exist if os.path.exists(keyfile) and os.path.exists(certfile): return (keyfile, certfile) # create temp keypair server key and certificate (_, tmp_keyfile) = tempfile.mkstemp(suffix='.pkey', prefix='tmpkey', dir='/tmp') (_, tmp_certfile) = tempfile.mkstemp(suffix='.cert', prefix='tmpcert', dir='/tmp') tmp_key = Keypair(create=True) tmp_key.save_to_file(tmp_keyfile) tmp_cert = Certificate(subject='subject') tmp_cert.set_issuer(key=tmp_key, subject='subject') tmp_cert.set_pubkey(tmp_key) tmp_cert.save_to_file(tmp_certfile, save_parents=True) # request real pkey from registry api = ComponentAPI(key_file=tmp_keyfile, cert_file=tmp_certfile) registry = api.get_registry() registry.get_key() key = Keypair(filename=keyfile) cert = Certificate(subject=hrn) cert.set_issuer(key=key, subject=hrn) cert.set_pubkey(key) cert.sign() cert.save_to_file(certfile, save_parents=True) return (keyfile, certfile)
def testSaveAndLoadString(self): cert = Certificate(subject="test") cert.add_extension("subjectAltName", 0, "URI:http://foovalue") # create an issuer and sign the certificate issuerKey = Keypair(create=True) issuerSubject = "testissuer" cert.set_issuer(issuerKey, issuerSubject) cert.sign() certstr = cert.save_to_string() #print certstr cert2 = Certificate() cert2.load_from_string(certstr) # read back the subject and make sure it is correct subj = cert2.get_subject() self.assertEqual(subj, "test") # read back the issuer and make sure it is correct issuerName = cert2.get_issuer() self.assertEqual(issuerName, "testissuer") # read back the extension and make sure it is correct self.assertEqual(cert2.get_extension("subjectAltName"), "URI:http://foovalue")
def testVerify(self): cert = Certificate(subject="test") # create an issuer and sign the certificate issuerKey = Keypair(create=True) issuerSubject = "testissuer" cert.set_issuer(issuerKey, issuerSubject) cert.sign() result = cert.verify(issuerKey) self.assert_(result) # create another key issuerKey2 = Keypair(create=True) issuerSubject2 = "wrongissuer" # and make sure it doesn't verify result = cert.verify(issuerKey2) self.assert_(not result) # load the cert from a string, and verify again cert2 = Certificate(string = cert.save_to_string()) result = cert2.verify(issuerKey) self.assert_(result) result = cert2.verify(issuerKey2) self.assert_(not result)
def testLongExtension(self): cert = Certificate(subject="test") # should produce something around 256 KB veryLongString = "URI:http://" shortString = "" for i in range(1, 80): shortString = shortString + "abcdefghijklmnopqrstuvwxyz012345" for i in range(1, 100): veryLongString = veryLongString + shortString + str(i) cert.add_extension("subjectAltName", 0, veryLongString) # create an issuer and sign the certificate issuerKey = Keypair(create=True) issuerSubject = "testissuer" cert.set_issuer(issuerKey, issuerSubject) cert.sign() certstr = cert.save_to_string() cert2 = Certificate() cert2.load_from_string(certstr) val = cert2.get_extension("subjectAltName") self.assertEqual(val, veryLongString)
def get_cert_file(self, key_file): cert_file = os.path.join(self.options.sfi_dir, self.user.replace(self.authority + '.', '') + ".cert") if (os.path.isfile(cert_file)): # we'd perfer to use Registry issued certs instead of self signed certs. # if this is a Registry cert (GID) then we are done gid = GID(filename=cert_file) if gid.get_urn(): return cert_file # generate self signed certificate k = Keypair(filename=key_file) cert = Certificate(subject=self.user) cert.set_pubkey(k) cert.set_issuer(k, self.user) cert.sign() self.logger.info("Writing self-signed certificate to %s"%cert_file) cert.save_to_file(cert_file) self.cert = cert # try to get registry issued cert try: self.logger.info("Getting Registry issued cert") self.read_config() # *hack. need to set registyr before _get_gid() is called self.registry = xmlrpcprotocol.get_server(self.reg_url, key_file, cert_file, timeout=self.options.timeout, verbose=self.options.debug) gid = self._get_gid(type='user') self.registry = None self.logger.info("Writing certificate to %s"%cert_file) gid.save_to_file(cert_file) except: self.logger.info("Failed to download Registry issued cert") return cert_file
def init_self_signed_cert(hrn, key, server_cert_file): logger.debug("generating self signed cert") # generate self signed certificate cert = Certificate(subject=hrn) cert.set_issuer(key=key, subject=hrn) cert.set_pubkey(key) cert.sign() cert.save_to_file(server_cert_file)
def testSign(self): cert = Certificate(subject="test") # create an issuer and sign the certificate issuerKey = Keypair(create=True) issuerSubject = "testissuer" cert.set_issuer(issuerKey, issuerSubject) cert.sign()
def create_server_keypair(keyfile=None, certfile=None, hrn="component", verbose=False): """ create the server key/cert pair in the right place """ key = Keypair(filename=keyfile) key.save_to_file(keyfile) cert = Certificate(subject=hrn) cert.set_issuer(key=key, subject=hrn) cert.set_pubkey(key) cert.sign() cert.save_to_file(certfile, save_parents=True)
def self_signed_cert_produce(self, output): self.assert_private_key() private_key_filename = self.private_key_filename() keypair = Keypair(filename=private_key_filename) self_signed = Certificate(subject=self.hrn) self_signed.set_pubkey(keypair) self_signed.set_issuer(keypair, self.hrn) self_signed.sign() self_signed.save_to_file(output) #self.logger.debug("SfaClientBootstrap: Created self-signed certificate for %s in %s"%\ #(self.hrn,output)) return output
def self_signed_cert_produce (self,output): self.assert_private_key() private_key_filename = self.private_key_filename() keypair=Keypair(filename=private_key_filename) self_signed = Certificate (subject = self.hrn) self_signed.set_pubkey (keypair) self_signed.set_issuer (keypair, self.hrn) self_signed.sign () self_signed.save_to_file (output) self.logger.debug("SfaClientBootstrap: Created self-signed certificate for %s in %s"%\ (self.hrn,output)) return output
def create_server_keypair(keyfile=None, certfile=None, hrn="component", verbose=False): """ create the server key/cert pair in the right place """ key = Keypair(filename=keyfile) key.save_to_file(keyfile) cert = Certificate(subject=hrn) cert.set_issuer(key=key, subject=hrn) cert.set_pubkey(key) cert.sign() cert.save_to_file(certfile, save_parents=True)
def get_node_key(registry=None, verbose=False): # this call requires no authentication, # so we can generate a random keypair here subject="component" (kfd, keyfile) = tempfile.mkstemp() (cfd, certfile) = tempfile.mkstemp() key = Keypair(create=True) key.save_to_file(keyfile) cert = Certificate(subject=subject) cert.set_issuer(key=key, subject=subject) cert.set_pubkey(key) cert.sign() cert.save_to_file(certfile) registry = server_proxy(url = registry, keyfile=keyfile, certfile=certfile) registry.get_key_from_incoming_ip()
def get_node_key(self): # this call requires no authentication, # so we can generate a random keypair here subject = "component" (kfd, keyfile) = tempfile.mkstemp() (cfd, certfile) = tempfile.mkstemp() key = Keypair(create=True) key.save_to_file(keyfile) cert = Certificate(subject=subject) cert.set_issuer(key=key, subject=subject) cert.set_pubkey(key) cert.sign() cert.save_to_file(certfile) registry = self.get_registry() # the registry will scp the key onto the node registry.get_key_from_incoming_ip()
def get_node_key(registry=None, verbose=False): # this call requires no authentication, # so we can generate a random keypair here subject = "component" (kfd, keyfile) = tempfile.mkstemp() (cfd, certfile) = tempfile.mkstemp() key = Keypair(create=True) key.save_to_file(keyfile) cert = Certificate(subject=subject) cert.set_issuer(key=key, subject=subject) cert.set_pubkey(key) cert.sign() cert.save_to_file(certfile) registry = server_proxy(url=registry, keyfile=keyfile, certfile=certfile) registry.get_key_from_incoming_ip()
def get_node_key(self): # this call requires no authentication, # so we can generate a random keypair here subject="component" (kfd, keyfile) = tempfile.mkstemp() (cfd, certfile) = tempfile.mkstemp() key = Keypair(create=True) key.save_to_file(keyfile) cert = Certificate(subject=subject) cert.set_issuer(key=key, subject=subject) cert.set_pubkey(key) cert.sign() cert.save_to_file(certfile) registry = self.get_registry() # the registry will scp the key onto the node registry.get_key()
def test_is_signed_by(self): cert1 = Certificate(subject="one") key1 = Keypair() key1.create() cert1.set_pubkey(key1) # create an issuer and sign the certificate issuerKey = Keypair(create=True) issuerSubject = "testissuer" cert1.set_issuer(issuerKey, issuerSubject) cert1.sign() cert2 = Certificate(subject="two") key2 = Keypair(create=True) cert2.set_pubkey(key2) cert2.set_issuer(key1, cert=cert1) # cert2 is signed by cert1 self.assert_(cert2.is_signed_by_cert(cert1)) # cert1 is not signed by cert2 self.assert_(not cert1.is_signed_by_cert(cert2))
def test_parents(self): cert_root = Certificate(subject="root") key_root = Keypair(create=True) cert_root.set_pubkey(key_root) cert_root.set_issuer(key_root, "root") cert_root.sign() cert1 = Certificate(subject="one") key1 = Keypair(create=True) cert1.set_pubkey(key1) cert1.set_issuer(key_root, "root") cert1.sign() cert2 = Certificate(subject="two") key2 = Keypair(create=True) cert2.set_pubkey(key2) cert2.set_issuer(key1, cert=cert1) cert2.set_parent(cert1) cert2.sign() cert3 = Certificate(subject="three") key3 = Keypair(create=True) cert3.set_pubkey(key3) cert3.set_issuer(key2, cert=cert2) cert3.set_parent(cert2) cert3.sign() self.assert_(cert1.verify(key_root)) self.assert_(cert2.is_signed_by_cert(cert1)) self.assert_(cert3.is_signed_by_cert(cert2)) cert3.verify_chain([cert_root]) # now save the chain to a string and load it into a new certificate str_chain = cert3.save_to_string(save_parents=True) cert4 = Certificate(string = str_chain) # verify the newly loaded chain still verifies cert4.verify_chain([cert_root]) # verify the parentage self.assertEqual(cert4.get_parent().get_subject(), "two") self.assertEqual(cert4.get_parent().get_parent().get_subject(), "one")